Safeguard
Tag

supply-chain-security

Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

1045 articles

AI Security

MCP server security for AI coding agents

A critical RCE in Anthropic's own MCP Inspector (CVSS 9.4) and two Cursor CVEs show that giving AI agents tool access creates a new, largely unvetted attack surface.

Jul 9, 20267 min read
Supply Chain Attacks

The npm worm incident response playbook

Shai-Hulud compromised 500+ npm packages by auto-publishing itself with stolen tokens. Here's a concrete detection, rotation, and pinning playbook.

Jul 9, 20265 min read
Open Source Security

The 4 dimensions of open-source dependency risk

Open-source risk isn't one problem — CVEs, malware, license exposure, and abandonment each fail differently, and Sonatype logged 454,600+ malicious packages in 2025 alone.

Jul 9, 20267 min read
Vulnerability Management

SBOM-based blast radius analysis for vulnerable dependencies

An SBOM tells you what's inside one artifact. It takes a dependency graph across every service to know what breaks first when a library gets a CVE.

Jul 9, 20266 min read
AI Security

Auditing AI agent skill registries for hardcoded keys

29M new hardcoded secrets hit public GitHub in 2025, up 34% YoY — and 3% of MCP servers in production carry hardcoded credentials as theft traps.

Jul 9, 20267 min read
AI Security

Signing and provenance standards for AI agent skill registries

Shai-Hulud infected 500+ npm packages via stolen tokens in 2025. Agent skill registries are repeating the same unsigned-artifact mistake — here's the fix.

Jul 9, 20267 min read
Supply Chain Attacks

Reconstructing the tj-actions/changed-files compromise

CVE-2025-30066 hit CISA's KEV list within 3 days: 23,000+ repos ran a poisoned GitHub Action that dumped CI secrets straight into public build logs.

Jul 9, 20266 min read
Best Practices

Verifying open source package provenance with SLSA and Sigstore

A maintainer account takeover hid a backdoor in xz-utils for years. SLSA provenance and Sigstore signing are how you catch the next one before it ships.

Jul 9, 20267 min read
Security Guides

Python Dependency Scanning: A Practical Guide

Your code is a small fraction of what ships. This is how to inventory, scan, and continuously monitor the Python dependency tree that makes up the rest.

Jul 8, 20265 min read
FAQ

AI Agents and Supply Chain Security FAQ: 2026 Answers

Answers on where AI agents meet software supply chain security — the dependencies agents pull in, hallucinated packages, MCP servers as components, AIBOMs, and how Safeguard keeps the agentic supply chain governed.

Jul 8, 20265 min read
Buyer's Guides

The Best Software Supply Chain Security Platforms in 2026

Supply-chain security has grown from SCA into a platform category spanning SBOMs, build integrity, and malicious-package defense. This balanced guide compares Snyk, Sonatype, Chainguard, Endor Labs, Socket, and Safeguard.

Jul 8, 20266 min read
Cloud Security

Cloud-Native Supply Chain Security: From Source to Runtime

A stage-by-stage guide to securing the cloud-native software supply chain — source, dependencies, build, artifacts, and deploy — using SBOMs, SLSA provenance, signing, and admission policy.

Jul 8, 20265 min read
supply-chain-security (Page 7) — Safeguard Blog